[Yandex Cloud documentation](../../index.md) > [Yandex Managed Service for Trino](../index.md) > [Step-by-step guides](index.md) > Clusters > Managing cluster access

# Managing access to a Managed Service for Trino cluster

You can assign a user or service account a [role](../security.md) that grants access to a specific [cluster](../concepts/index.md).

This way, you can granularly assign different roles for specific clusters to different users and service accounts.


## Getting a list of roles assigned for a cluster {#list-access-bindings}

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. To get a list of clusters in the default [folder](../../resource-manager/concepts/resources-hierarchy.md#folder), run this command:

      ```bash
      yc managed-trino cluster list
      ```

  1. To get a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-trino cluster list-access-bindings <cluster_name_or_ID>
      ```

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and place it in an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.ListAccessBindings](../api-ref/Cluster/listAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request GET \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://trino.api.cloud.yandex.net/managed-trino/v1/clusters/<cluster_ID>:listAccessBindings'
      ```

  1. View the [server response](../api-ref/Cluster/listAccessBindings.md#yandex.cloud.access.ListAccessBindingsResponse) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and place it in an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.ListAccessBindings](../api-ref/grpc/Cluster/listAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/trino/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>"
            }' \
        trino.api.cloud.yandex.net:443 \
        yandex.cloud.trino.v1.ClusterService.ListAccessBindings
      ```

  1. Check the [server response](../api-ref/grpc/Cluster/listAccessBindings.md#yandex.cloud.access.ListAccessBindingsResponse) to make sure your request was successful.

{% endlist %}


## Assigning a role {#add-access-binding}

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. View the description of the CLI command for assigning a role for a cluster:

      ```bash
      yc managed-trino cluster add-access-binding --help
      ```

  1. Use this command to assign a role:

      ```bash
      yc managed-trino cluster add-access-binding <cluster_name_or_ID> \
        --role <role> \
        --subject <subject_type>:<subject_ID>
      ```

      Where:

      * `--role`: [Role](../security.md#roles-list) being assigned, e.g., `managed-trino.editor`.
      * `--subject`: Type and ID of the [subject](../../iam/concepts/access-control/index.md#subject) you are assigning the role to, in `<subject_type>:<subject_ID>` format.

          Here is an example:

          * `serviceAccount:aje6p030************`
          * `userAccount:aje8tj79************`
          * `system:allAuthenticatedUsers`

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. To view a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-trino cluster list-access-bindings <cluster_name_or_ID>
      ```

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and place it in an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.UpdateAccessBindings](../api-ref/Cluster/updateAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request PATCH \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://trino.api.cloud.yandex.net/managed-trino/v1/clusters/<cluster_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "ADD",
                      "access_binding": {
                        "role_id": "<role>",
                        "subject": {
                          "id": "<subject_ID>",
                          "type": "<subject_type>"
                        }
                      }
                    }
                  ]
                }'
      ```

      Where:

      * `access_binding_deltas.roleId`: [Role](../security.md#roles-list) being assigned, e.g., `managed-trino.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and place it in an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.UpdateAccessBindings](../api-ref/grpc/Cluster/updateAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/trino/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "ADD",
                  "access_binding": {
                    "role_id": "<role>",
                    "subject": {
                      "id": "<subject_ID>",
                      "type": "<subject_type>"
                    }
                  }
                }
              ]
            }' \
        trino.api.cloud.yandex.net:443 \
        yandex.cloud.trino.v1.ClusterService.UpdateAccessBindings
      ```

      Where:

      * `resource_id`: Cluster ID.
      * `access_binding_deltas.roleId`: [Role](../security.md#roles-list) being assigned, e.g., `managed-trino.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/grpc/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

{% endlist %}

## Assigning multiple roles {#set-access-bindings}

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  {% note alert %}

  The `set-access-bindings` command deletes all roles assigned for the cluster and assigns new ones.

  {% endnote %}

  1. To view a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-trino cluster list-access-bindings <cluster_name_or_ID>
      ```

  1. View the description of the CLI command for assigning roles for a cluster:

      ```bash
      yc managed-trino cluster set-access-bindings --help
      ```

  1. To assign roles, run this command:

      ```bash
      yc managed-trino cluster set-access-bindings <cluster_name_or_ID> \
        --access-binding role=<role>,subject=<subject_type>:<subject_1_ID> \
        --access-binding role=<role>,subject=<subject_type>:<subject_2_ID>
      ```

      Where `--access-binding` assigns a role to a subject. You can assign multiple roles at once by describing each of them in a separate `--access-binding` parameter.

      * `role`: [Role](../security.md#roles-list) being assigned, e.g., `managed-trino.editor`.
      * `subject`: Type and ID of the [subject](../../iam/concepts/access-control/index.md#subject) you are assigning the role to, in `<subject_type>:<subject_ID>` format.

          Here is an example:

          * `serviceAccount:aje6p030************`
          * `userAccount:aje8tj79************`
          * `system:allAuthenticatedUsers`

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

- REST API {#api}

  {% note alert %}

  The `setAccessBindings` method overwrites access permissions for the resource. All roles previously assigned for this resource will be deleted.

  {% endnote %}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and place it in an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.SetAccessBindings](../api-ref/Cluster/setAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request POST \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://trino.api.cloud.yandex.net/managed-trino/v1/clusters/<cluster_ID>:setAccessBindings' \
        --data '{
                  "accessBindings": [
                    {
                      "roleId": "<role>",
                      "subject": {
                        "id": "<subject_1_ID>",
                        "type": "<subject_type>"
                      }
                    },
                    {
                      "roleId": "<role>",
                      "subject": {
                        "id": "<subject_2_ID>",
                        "type": "<subject_type>"
                      }
                    },
                    ...
                    {
                      "roleId": "<role>",
                      "subject": {
                        "id": "<subject_N_ID>",
                        "type": "<subject_type>"
                      }
                    }
                  ]
                }'
      ```

      Where:

      * `accessBindings.roleId`: [Role](../security.md#roles-list) being assigned, e.g., `managed-trino.editor`.
      * `accessBindings.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `accessBindings.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/Cluster/setAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  {% note alert %}

  The `ClusterService.SetAccessBindings` method completely overwrites access permissions for the resource. All roles previously assigned for this resource will be deleted.

  {% endnote %}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and place it in an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.SetAccessBindings](../api-ref/grpc/Cluster/setAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/trino/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "accessBindings": [
                {
                  "roleId": "<role>",
                  "subject": {
                    "id": "<subject_1_ID>",
                    "type": "<subject_type>"
                  }
                },
                {
                  "roleId": "<role>",
                  "subject": {
                    "id": "<subject_2_ID>",
                    "type": "<subject_type>"
                  }
                },
                ...
                {
                  "roleId": "<role>",
                  "subject": {
                    "id": "<subject_N_ID>",
                    "type": "<subject_type>"
                  }
                }
              ]
            }' \
        trino.api.cloud.yandex.net:443 \
        yandex.cloud.trino.v1.ClusterService.SetAccessBindings
      ```

      Where:

      * `resource_id`: Cluster ID.
      * `accessBindings.roleId`: [Role](../security.md#roles-list) being assigned, e.g., `managed-trino.editor`.
      * `accessBindings.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `accessBindings.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/grpc/Cluster/setAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

{% endlist %}

## Revoking a role {#remove-access-binding}

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. To view a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-trino cluster list-access-bindings <cluster_name_or_ID>
      ```

  1. View the description of the CLI command for revoking a role for a cluster:

      ```bash
      yc managed-trino cluster remove-access-binding --help
      ```
  1. To revoke a role, run this command:

      ```bash
      yc managed-trino cluster remove-access-binding <cluster_name_or_ID> \
        --role <role> \
        --subject <subject_type>:<subject_ID>
      ```

      Where:

      * `--role`: [Role](../security.md#roles-list) being revoked, e.g., `managed-trino.editor`.
      * `--subject`: Type and ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to, in `<subject_type>:<subject_ID>` format.

          Here is an example:

          * `serviceAccount:aje6p030************`
          * `userAccount:aje8tj79************`
          * `system:allAuthenticatedUsers`

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and place it in an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.UpdateAccessBindings](../api-ref/Cluster/updateAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request PATCH \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://trino.api.cloud.yandex.net/managed-trino/v1/clusters/<cluster_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "REMOVE",
                      "access_binding": {
                        "role_id": "<role>",
                        "subject": {
                          "id": "<subject_ID>",
                          "type": "<subject_type>"
                        }
                      }
                    }
                  ]
                }'
      ```

      Where:

      * `access_binding_deltas.roleId`: [Role](../security.md#roles-list) being assigned, e.g., `managed-trino.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and place it in an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.UpdateAccessBindings](../api-ref/grpc/Cluster/updateAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/trino/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "REMOVE",
                  "access_binding": {
                    "role_id": "<role>",
                    "subject": {
                      "id": "<subject_ID>",
                      "type": "<subject_type>"
                    }
                  }
                }
              ]
            }' \
        trino.api.cloud.yandex.net:443 \
        yandex.cloud.trino.v1.ClusterService.UpdateAccessBindings
      ```

      Where:

      * `resource_id`: Cluster ID.
      * `access_binding_deltas.roleId`: [Role](../security.md#roles-list) being assigned, e.g., `managed-trino.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/grpc/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

{% endlist %}

## Examples {#examples}

### Granting cluster management access to a service account {#sa-cluster-control}

For a service account to be able to view the info of all Managed Service for Trino clusters in the folder but modify the resources in one particular cluster alone, give it the `managed-trino.viewer` role for the folder and the `managed-trino.editor` role for that cluster:

{% list tabs group=instructions %}

- CLI {#cli}

  1. Assign the role for the folder:

      ```bash
      yc resource-manager folder add-access-binding <folder_name_or_ID> \
        --role managed-trino.viewer \
        --subject=serviceAccount:<service_account_ID>
      ```

  1. Assign the roles for the cluster:

      ```bash
      yc managed-trino cluster add-access-bindings <cluster_name_or_ID> \
        --access-binding role=managed-trino.editor,subject=serviceAccount:<service_account_ID>
      ```

  1. Check the list of roles assigned for the cluster:

      ```bash
      yc managed-trino cluster list-access-bindings <cluster_name_or_ID>
      ```

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and place it in an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Assign the role for the folder:

      ```bash
      curl \
        --request POST \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/<folder_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "ADD",
                      "access_binding": {
                        "role_id": "managed-trino.viewer",
                        "subject": {
                          "id": "<service_account_ID>",
                          "type": "serviceAccount"
                        }
                      }
                    }
                  ]
                }'
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Call the [Cluster.UpdateAccessBindings](../api-ref/Cluster/updateAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request PATCH \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://trino.api.cloud.yandex.net/managed-trino/v1/clusters/<cluster_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "ADD",
                      "access_binding": {
                        "role_id": "managed-trino.editor",
                        "subject": {
                          "id": "<service_account_ID>",
                          "type": "serviceAccount"
                        }
                      }
                    }
                  ]
                }'
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Check the list of roles assigned for the folder:

      ```bash
      curl \
        --request GET \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/<folder_ID>:updateAccessBindings'
      ```

  1. Check the list of roles assigned for the cluster:

      ```bash
      curl \
        --request GET \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://trino.api.cloud.yandex.net/managed-trino/v1/clusters/<cluster_ID>:listAccessBindings'
      ```

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and place it in an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Assign the role for the folder:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/resourcemanager/v1/folder_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "ADD",
                  "access_binding": {
                    "role_id": "managed-trino.viewer",
                    "subject": {
                      "id": "<service_account_ID>",
                      "type": "serviceAccount"
                    }
                  }
                }
              ]
            }' \
        resource-manager.api.cloud.yandex.net:443 \
        yandex.cloud.resourcemanager.v1.FolderService.UpdateAccessBindings
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Assign the role for the cluster:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/trino/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "ADD",
                  "access_binding": {
                    "role_id": "managed-trino.editor",
                    "subject": {
                      "id": "<service_account_ID>",
                      "type": "serviceAccount"
                    }
                  }
                }
              ]
            }' \
        trino.api.cloud.yandex.net:443 \
        yandex.cloud.trino.v1.ClusterService.UpdateAccessBindings
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Check the list of roles assigned for the folder:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/resourcemanager/v1/folder_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<folder_ID>"
            }' \
        resource-manager.api.cloud.yandex.net:443 \
        yandex.cloud.resourcemanager.v1.FolderService.ListAccessBindings
      ```

  1. Check the list of roles assigned for the cluster:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/trino/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>"
            }' \
        trino.api.cloud.yandex.net:443 \
        yandex.cloud.trino.v1.ClusterService.ListAccessBindings
      ```

{% endlist %}